In my last blog, I discussed establishing security policies. Following Gary Miliefsky's article, the next step I'd like to discuss is the issue of security awareness organization-wide. Even with the best desktop management solution in place that patches systems, protects against malware, restricts access to removable storage, and locks down the desktop to limit user ability, users still need to be aware of a few issues that will enhance the security you've established as well as help users understand why the security is in place:
- Corporate Security Policies - Cover password policies (such as how often passwords are changed, minimum complexity requirements, etc.), use of "confidential" information, and the security configuration of their desktop and why it is the way it is.
- Online Do's and Don'ts - discuss the threat of phishing scams, questionable sites that attempt to install malicious software, etc.
- Acceptable Use Policies - Performing business tasks online often puts the organization at no risk (the users are going to known sites to perform tasks, etc.), so questions like "can I pay my bills online from work?" should be addressed.
- Legal Concerns - If you have a General Counsel in-house, have them discuss any issues they are aware of that can impact the organization. For example, if you are a publicly traded company, ensure that information that could be misconstrued as insider information is sent via trackable methods (e.g. an email system that is being archived).
- Security Breaches - discuss what to do in the event a user recognizes security has been broken - a shared password, the "accidental" installation of suspected malware, etc. Letting users know they won't lose their job for telling the truth can often lead to a faster resolution of the situation and a more secure network overall.
So how are you supposed to convey these messages? There are a few "old school" methods such as:
- Scheduled Meetings
- Acceptable Use Handbooks
- Company-wide Email Blasts
But the company of today faces challenges in getting everyone into one room to ensure the message is heard. Here are several other more high-tech methods:
- Set up a Security Awareness Portal - Use Windows SharePoint Services, Microsoft's free version of SharePoint Portal Server. You can host this on any modern Windows server OS. You can also use products like Drupal and WordPress, free blog/portal platforms you can install on just about any web server.
- RSS Feeds - If you can't make the users come to the portal, take the portal to the users. Outlook 2007 supports RSS feeds, as do about a thousand other feed readers. Users can pull down updated content relevant to them, which provides a more customized experience for the user.
- Webinars - Use GoToMeeting, LiveMeeting or Webex to set up a live webinar to promote your security message. These solutions let attendees ask questions and let you show slide decks or a computer desktop (for demonstrating security do's and don'ts).
Use these methods to keep employees up to date not just on the latest corporate policies, but on the latest scams, viruses, and patches that will be placed on their systems (and when). Putting all of this together will make your employees a part of your security strategy, not the reason for it.